Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.
Business Insider has learned that since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network. The Silicon Valley company said the contacts were “unintentionally uploaded to Facebook,” and it is now deleting them. You can read Facebook’s full statement below.
The revelation comes after a security researcher noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts, without asking for permission first.
At the time, it wasn’t clear what was happening — but a Facebook spokesperson has now confirmed that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to build Facebook’s web of social connections and recommend friends to add. It’s not immediately clear if these contacts were also used for ad-targeting purposes.
The “importing contacts” dialogue box in question. Screenshot/Rob